File name: | trojan3.exe |
Full analysis: | https://app.any.run/tasks/4614c6c5-a706-4ee5-88b3-5f14dd6a28c4 |
Verdict: | Malicious activity |
Threats: | Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files. |
Analysis date: | January 23, 2019, 01:13:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
MD5: | A0D69C1B3F868D7030231D564E059FB1 |
SHA1: | 9090167034C7CE3D61F6E73401C48CCD78F85351 |
SHA256: | FBE0A158C362405D480D40676E5BDA3A9B97047F61661B9F72FF7AFA30F1697D |
SSDEEP: | 49152:PoMUcFI5eqRRDVsv4HHB150jqVg7HkpHMse9aglouPDAIRdPsP+fL9LQhq6/wvo/:PTUaI9OMzejqikpYbAI7XLyhq6IvorA+ |
.exe | | | NSIS - Nullsoft Scriptable Install System (94.8) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (3.4) |
.dll | | | Win32 Dynamic Link Library (generic) (0.7) |
.exe | | | Win32 Executable (generic) (0.5) |
.exe | | | Generic Win/DOS Executable (0.2) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 2009:12:05 23:52:12+01:00 |
PEType: | PE32 |
LinkerVersion: | 6 |
CodeSize: | 24064 |
InitializedDataSize: | 308224 |
UninitializedDataSize: | 8192 |
EntryPoint: | 0x30fa |
OSVersion: | 4 |
ImageVersion: | 6 |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 05-Dec-2009 22:52:12 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D8 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 05-Dec-2009 22:52:12 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00005C4C | 0x00005E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.4388 |
.rdata | 0x00007000 | 0x0000129C | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04684 |
.data | 0x00009000 | 0x00048C58 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.79628 |
.ndata | 0x00052000 | 0x00040000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00092000 | 0x0000F160 | 0x0000F200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.88476 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.20956 | 716 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 3.95465 | 9640 | UNKNOWN | English - United States | RT_ICON |
3 | 4.44806 | 4264 | UNKNOWN | English - United States | RT_ICON |
4 | 4.74717 | 3752 | UNKNOWN | English - United States | RT_ICON |
5 | 5.41664 | 2216 | UNKNOWN | English - United States | RT_ICON |
6 | 2.9738 | 1640 | UNKNOWN | English - United States | RT_ICON |
7 | 3.83015 | 1384 | UNKNOWN | English - United States | RT_ICON |
8 | 5.32149 | 1128 | UNKNOWN | English - United States | RT_ICON |
9 | 3.26704 | 744 | UNKNOWN | English - United States | RT_ICON |
10 | 3.05995 | 296 | UNKNOWN | English - United States | RT_ICON |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3040 | "C:\Users\admin\AppData\Local\Temp\trojan3.exe" | C:\Users\admin\AppData\Local\Temp\trojan3.exe | explorer.exe | |
User: admin Integrity Level: MEDIUM Exit code: 2 | ||||
2544 | "C:\Users\admin\AppData\Roaming\Temp\DOC001.exe" | C:\Users\admin\AppData\Roaming\Temp\DOC001.exe | trojan3.exe | |
User: admin Integrity Level: MEDIUM | ||||
2276 | "C:\Users\admin\AppData\Local\Temp\java.exe" -pJavajre_set7z | C:\Users\admin\AppData\Local\Temp\java.exe | DOC001.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3440 | "C:\Users\admin\AppData\Local\Temp\java1.exe" -pJavajre_set8z | C:\Users\admin\AppData\Local\Temp\java1.exe | DOC001.exe | |
User: admin Integrity Level: MEDIUM Exit code: 2 | ||||
2876 | "C:\Users\admin\AppData\Local\Temp\Javatemp\jar2.exe" | C:\Users\admin\AppData\Local\Temp\Javatemp\jar2.exe | java.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2660 | "C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns81E5.tmp" cmd /C copy /b %temp%\Javatemp\ini.jwd C:\Users\admin\AppData\Roaming\cppredistx86.exe | C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns81E5.tmp | — | jar2.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3372 | cmd /C copy /b %temp%\Javatemp\ini.jwd C:\Users\admin\AppData\Roaming\cppredistx86.exe | C:\Windows\system32\cmd.exe | — | ns81E5.tmp |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3924 | "C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns82D1.tmp" cmd /C copy /b %temp%\Javatemp\jare.7z1 + %temp%\Javatemp\temps.7z1 C:\Users\admin\AppData\Roaming\dhelper.exe | C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns82D1.tmp | — | jar2.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
2720 | cmd /C copy /b %temp%\Javatemp\jare.7z1 + %temp%\Javatemp\temps.7z1 C:\Users\admin\AppData\Roaming\dhelper.exe | C:\Windows\system32\cmd.exe | ns82D1.tmp | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3384 | "C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns83CC.tmp" cmd /C taskkill /f /im dhelper.exe & start C:\Users\admin\AppData\Roaming\dhelper.exe | C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns83CC.tmp | — | jar2.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2276 | java.exe | C:\Users\admin\AppData\Local\Temp\Javatemp\ini.jwd | — | |
MD5:— | SHA256:— | |||
2876 | jar2.exe | C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns82D1.tmp | — | |
MD5:— | SHA256:— | |||
2876 | jar2.exe | C:\Users\admin\AppData\Local\Temp\nsl81D4.tmp | — | |
MD5:— | SHA256:— | |||
2276 | java.exe | C:\Users\admin\AppData\Local\Temp\Javatemp\jare.7z1 | executable | |
MD5:14EC03D49A0457377CD2B4F3A707D6EB | SHA256:353B4F2D3680385C364B5B7777704DDC2A126653D34BC1FCD52884F9F49A79F7 | |||
2276 | java.exe | C:\Users\admin\AppData\Local\Temp\Javatemp\jar2.exe | executable | |
MD5:E6C0BBD63D7A40F9548AA4CF00F04AE7 | SHA256:C0540983C65310C18C1070E9BA1B874307AA667147F382BF047A1E810E840CC3 | |||
2544 | DOC001.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\java[1].dat | executable | |
MD5:C5535409ED97CB0C483CD7C31CDF973D | SHA256:59044DDB0176647230470A213AD97F4385AE92D527D7A12F2F107BDC74C6BA06 | |||
2544 | DOC001.exe | C:\Users\admin\AppData\Roaming\Temp\NsCpuCNMiner32.exe | executable | |
MD5:3AFEB8E9AF02A33FF71BF2F6751CAE3A | SHA256:A0EBA3FDA0D7B22A5D694105EC700DF7C7012DDC4AE611C3071EF858E2C69F08 | |||
2876 | jar2.exe | C:\Users\admin\AppData\Local\Temp\nsl81D5.tmp\ns83CC.tmp | executable | |
MD5:37707A29BD8EFBEB912019737BB2B584 | SHA256:4751809EF6FD3CED738392E7C5DF6D4E3938D85711DAA0B52B045B5092913C27 | |||
2544 | DOC001.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk | lnk | |
MD5:0F7C6ED7B648CEB4DFFA52C5C6F91C8C | SHA256:EC7119553E26460F0E3BDF9150B01D77FC0FD1EFD72772C653CB24ED391DE641 | |||
2544 | DOC001.exe | C:\Users\admin\AppData\Local\Temp\java.exe | executable | |
MD5:C5535409ED97CB0C483CD7C31CDF973D | SHA256:59044DDB0176647230470A213AD97F4385AE92D527D7A12F2F107BDC74C6BA06 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2544 | DOC001.exe | GET | 200 | 195.208.1.107:80 | http://rucop.ru/java.dat | RU | executable | 2.04 Mb | malicious |
3952 | DOC001.exe | GET | 200 | 195.208.1.107:80 | http://kriso.ru/java12.dat | RU | executable | 200 Kb | malicious |
3396 | java12.exe | POST | 301 | 88.99.66.31:80 | http://2no.co/1ajz97 | DE | html | 178 b | whitelisted |
2544 | DOC001.exe | GET | 200 | 195.208.1.107:80 | http://kriso.ru/java1.dat | RU | executable | 1009 Kb | malicious |
3396 | java12.exe | POST | 405 | 195.208.1.107:80 | http://ioad.pw/ioad.exe | RU | html | 182 b | malicious |
2480 | dhelper.exe | GET | 404 | 208.100.26.251:80 | http://ce893c41a8.pw/index.php?a=1&h=0b76&b=1&p=d1&i=1BD7E3DD0BC6CDDD439E939EB6623F0D | US | html | 580 b | malicious |
2280 | dhelper.exe | GET | 404 | 208.100.26.251:80 | http://ce893c41a8.pw/index.php?a=1&h=0b76&b=1&p=d1&i=ACF1D54C4360908F83CB0B6A710C9862 | US | html | 580 b | malicious |
2280 | dhelper.exe | GET | 404 | 208.100.26.251:80 | http://6ae79845b2.pw/index.php?a=1&h=4f2f&b=1&p=d1&i=ACF1D54C4360908F83CB0B6A710C9862 | US | html | 580 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3396 | java12.exe | 88.99.66.31:80 | 2no.co | Hetzner Online GmbH | DE | malicious |
3396 | java12.exe | 88.99.66.31:443 | 2no.co | Hetzner Online GmbH | DE | malicious |
2544 | DOC001.exe | 195.208.1.107:80 | rucop.ru | Autonomous Non-commercial Organization Regional Network Information Center | RU | suspicious |
2480 | dhelper.exe | 208.100.26.251:80 | ce893c41a8.pw | Steadfast | US | suspicious |
3396 | java12.exe | 195.208.1.107:80 | rucop.ru | Autonomous Non-commercial Organization Regional Network Information Center | RU | suspicious |
3952 | DOC001.exe | 195.208.1.107:80 | rucop.ru | Autonomous Non-commercial Organization Regional Network Information Center | RU | suspicious |
2280 | dhelper.exe | 208.100.26.251:80 | ce893c41a8.pw | Steadfast | US | suspicious |
Domain | IP | Reputation |
---|---|---|
rucop.ru |
| malicious |
kriso.ru |
| malicious |
ce893c41a8.pw |
| malicious |
2no.co |
| whitelisted |
ioad.pw |
| malicious |
6ae79845b2.pw |
| malicious |
fa41b00ded.pw |
| unknown |
cfa7fed9a2.pw |
| unknown |
7bedab72f1.pw |
| unknown |
fe32f3c117.pw |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
2544 | DOC001.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers |
2544 | DOC001.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer |
2544 | DOC001.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2544 | DOC001.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers |
2544 | DOC001.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer |
2544 | DOC001.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3952 | DOC001.exe | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers |
3952 | DOC001.exe | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer |
3952 | DOC001.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |